• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

FreeBSD 9.2 behind NAT trouble

Started by saenara, October 29, 2013, 06:17:54 AM

saenara

Hi!

I'm really stuck on what is wrong with my configuration, so please give me a little advice.

FreeBSD -- Cisco 3845 -- internet -- he.net

Endpoints:
me: 91.231.188.11
HE: 216.66.80.90

Cisco

arnie#show ver
Cisco IOS Software, 3800 Software (C3845-ADVENTERPRISEK9-M), Version 12.4(24)T5, RELEASE SOFTWARE (fc3)
...
arnie#show run | i 91.231.188.11
ip nat inside source static 192.168.167.8 91.231.188.11 extendable
arnie#show ip nat trans | i 91.231.188.11
41  91.231.188.11:0       192.168.167.8:0       216.66.80.90:0        216.66.80.90:0
--- 91.231.188.11         192.168.167.8         ---                   ---


FreeBSD box:

root@saenara# uname -a
FreeBSD saenara 9.2-RELEASE FreeBSD 9.2-RELEASE #0 r255898: Thu Sep 26 22:50:31 UTC 2013     root@bake.isc.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64
root@saenara# ifconfig gif0
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
tunnel inet 192.168.167.8 --> 216.66.80.90
inet6 fe80::215:17ff:fec9:431e%gif0 prefixlen 64 scopeid 0xd
inet6 2001:470:27:78a::2 --> 2001:470:27:78a::1 prefixlen 128
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
options=1<ACCEPT_REV_ETHIP_VER>


All firewalling has been disabled for a while. Now trying ping6:

root@saenara# ping6 2001:470:27:78a::1
PING6(56=40+8+8 bytes) 2001:470:27:78a::2 --> 2001:470:27:78a::1
^C
--- 2001:470:27:78a::1 ping6 statistics ---
5 packets transmitted, 0 packets received, 100.0% packet loss


Sniffing gif interface:

root@saenara# tcpdump -pi gif0 -n
tcpdump: WARNING: gif0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on gif0, link-type NULL (BSD loopback), capture size 65535 bytes
17:01:39.013069 IP6 2001:470:27:78a::2 > 2001:470:27:78a::1: ICMP6, echo request, seq 0, length 16
17:01:40.013318 IP6 2001:470:27:78a::2 > 2001:470:27:78a::1: ICMP6, echo request, seq 1, length 16
17:01:41.013309 IP6 2001:470:27:78a::2 > 2001:470:27:78a::1: ICMP6, echo request, seq 2, length 16
17:01:42.013308 IP6 2001:470:27:78a::2 > 2001:470:27:78a::1: ICMP6, echo request, seq 3, length 16
17:01:43.013312 IP6 2001:470:27:78a::2 > 2001:470:27:78a::1: ICMP6, echo request, seq 4, length 16
17:01:44.012304 IP6 2001:470:27:78a::2 > 2001:470:27:78a::1: ICMP6, neighbor solicitation, who has 2001:470:27:78a::1, length 24
17:01:45.012291 IP6 2001:470:27:78a::2 > 2001:470:27:78a::1: ICMP6, neighbor solicitation, who has 2001:470:27:78a::1, length 24
17:01:46.012292 IP6 2001:470:27:78a::2 > 2001:470:27:78a::1: ICMP6, neighbor solicitation, who has 2001:470:27:78a::1, length 24


But! Sniffing the LAN interface at the same moment:

root@saenara# tcpdump -pi em0 -n -s 0 host 216.66.80.90
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:01:39.013084 IP 192.168.167.8 > 216.66.80.90: IP6 2001:470:27:78a::2 > 2001:470:27:78a::1: ICMP6, echo request, seq 0, length 16
17:01:39.087578 IP 216.66.80.90 > 192.168.167.8: IP6 2001:470:27:78a::1 > 2001:470:27:78a::2: ICMP6, echo reply, seq 0, length 16
17:01:40.013324 IP 192.168.167.8 > 216.66.80.90: IP6 2001:470:27:78a::2 > 2001:470:27:78a::1: ICMP6, echo request, seq 1, length 16
17:01:40.087827 IP 216.66.80.90 > 192.168.167.8: IP6 2001:470:27:78a::1 > 2001:470:27:78a::2: ICMP6, echo reply, seq 1, length 16
17:01:41.013314 IP 192.168.167.8 > 216.66.80.90: IP6 2001:470:27:78a::2 > 2001:470:27:78a::1: ICMP6, echo request, seq 2, length 16
17:01:41.088413 IP 216.66.80.90 > 192.168.167.8: IP6 2001:470:27:78a::1 > 2001:470:27:78a::2: ICMP6, echo reply, seq 2, length 16
17:01:42.013313 IP 192.168.167.8 > 216.66.80.90: IP6 2001:470:27:78a::2 > 2001:470:27:78a::1: ICMP6, echo request, seq 3, length 16
17:01:42.088519 IP 216.66.80.90 > 192.168.167.8: IP6 2001:470:27:78a::1 > 2001:470:27:78a::2: ICMP6, echo reply, seq 3, length 16
17:01:43.013317 IP 192.168.167.8 > 216.66.80.90: IP6 2001:470:27:78a::2 > 2001:470:27:78a::1: ICMP6, echo request, seq 4, length 16
17:01:43.087941 IP 216.66.80.90 > 192.168.167.8: IP6 2001:470:27:78a::1 > 2001:470:27:78a::2: ICMP6, echo reply, seq 4, length 16
17:01:44.012312 IP 192.168.167.8 > 216.66.80.90: IP6 2001:470:27:78a::2 > 2001:470:27:78a::1: ICMP6, neighbor solicitation, who has 2001:470:27:78a::1, length 24
17:01:44.087566 IP 216.66.80.90 > 192.168.167.8: IP6 2001:470:27:78a::1 > 2001:470:27:78a::2: ICMP6, neighbor advertisement, tgt is 2001:470:27:78a::1, length 24
17:01:45.012299 IP 192.168.167.8 > 216.66.80.90: IP6 2001:470:27:78a::2 > 2001:470:27:78a::1: ICMP6, neighbor solicitation, who has 2001:470:27:78a::1, length 24
17:01:45.088201 IP 216.66.80.90 > 192.168.167.8: IP6 2001:470:27:78a::1 > 2001:470:27:78a::2: ICMP6, neighbor advertisement, tgt is 2001:470:27:78a::1, length 24
17:01:46.012298 IP 192.168.167.8 > 216.66.80.90: IP6 2001:470:27:78a::2 > 2001:470:27:78a::1: ICMP6, neighbor solicitation, who has 2001:470:27:78a::1, length 24
17:01:46.086669 IP 216.66.80.90 > 192.168.167.8: IP6 2001:470:27:78a::1 > 2001:470:27:78a::2: ICMP6, neighbor advertisement, tgt is 2001:470:27:78a::1, length 24


BSD box rc.conf fragment:

cloned_interfaces="bridge0 vlan100 gif0"
ipv6_network_interfaces="lo0 br0 gif0"
gif_interfaces="gif0"

ipv6_activate_all_interfaces="NO"

ifconfig_bridge0_name="br0"

gifconfig_gif0="192.168.167.8 216.66.80.90"

ifconfig_em0="inet 192.168.167.2/24"
ifconfig_em0_alias0="inet 192.168.167.8/32"
ifconfig_em1="up"
ifconfig_br0="addm em0 addm em1 up"

defaultrouter="192.168.167.1"

ifconfig_gif0_ipv6="inet6 2001:470:27:78a::2 2001:470:27:78a::1 prefixlen 128 up"
ifconfig_br0_ipv6="inet6 2001:470:27:78a::3 prefixlen 64"
ipv6_defaultrouter="2001:470:27:78a::1"
ipv6_gateway_enable="YES"
rtadvd_enable="YES"
rtadvd_interfaces="br0"



So, as it seems to me, the ipip (Proto#41) NAT passthrough is successful: the BSD box receives packets back from the HE endpoint but completely ignores them.

It's making me crazy, so help, please!
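
The comparison made in the post above (tunnel-interface capture against outer-interface capture), automated as an added example that is not part of the original thread. The function names and verdict strings are illustrative; the sample lines are excerpted from the captures in the post, and the endpoint addresses are the ones shown by `ifconfig gif0`.

```python
import re

# Matches tcpdump -n lines for ICMPv6 echo, with or without the outer IPv4 header.
LINE = re.compile(
    r"^\S+ (?:IP (?P<osrc>\S+) > (?P<odst>\S+): )?"
    r"IP6 \S+ > \S+: ICMP6, echo (?P<kind>request|reply), seq (?P<seq>\d+)")

def echoes(capture):
    """Map (kind, seq) -> (outer_src, outer_dst) for each echo in a capture."""
    return {(m["kind"], int(m["seq"])): (m["osrc"], m["odst"])
            for m in map(LINE.match, capture.splitlines()) if m}

def classify(inner, outer, local, remote):
    """Per echo request seen on the tunnel, say where its reply was lost."""
    tun, wire = echoes(inner), echoes(outer)
    out = {}
    for kind, seq in sorted(tun):
        if kind != "request":
            continue
        if ("request", seq) not in wire:
            out[seq] = "request not encapsulated onto the wire"
        elif ("reply", seq) not in wire:
            out[seq] = "no reply on the wire"
        elif ("reply", seq) in tun:
            out[seq] = "ok"
        elif wire[("reply", seq)] != (remote, local):
            out[seq] = "reply outer addresses do not match the tunnel"
        else:
            out[seq] = "reply on the wire, not decapsulated"
    return out

# Sample input: two sequence numbers excerpted from the captures in the post.
GIF0 = """\
17:01:39.013069 IP6 2001:470:27:78a::2 > 2001:470:27:78a::1: ICMP6, echo request, seq 0, length 16
17:01:40.013318 IP6 2001:470:27:78a::2 > 2001:470:27:78a::1: ICMP6, echo request, seq 1, length 16
"""
EM0 = """\
17:01:39.013084 IP 192.168.167.8 > 216.66.80.90: IP6 2001:470:27:78a::2 > 2001:470:27:78a::1: ICMP6, echo request, seq 0, length 16
17:01:39.087578 IP 216.66.80.90 > 192.168.167.8: IP6 2001:470:27:78a::1 > 2001:470:27:78a::2: ICMP6, echo reply, seq 0, length 16
17:01:40.013324 IP 192.168.167.8 > 216.66.80.90: IP6 2001:470:27:78a::2 > 2001:470:27:78a::1: ICMP6, echo request, seq 1, length 16
17:01:40.087827 IP 216.66.80.90 > 192.168.167.8: IP6 2001:470:27:78a::1 > 2001:470:27:78a::2: ICMP6, echo reply, seq 1, length 16
"""

if __name__ == "__main__":
    # Tunnel endpoints as shown by `ifconfig gif0` in the post.
    for seq, verdict in classify(GIF0, EM0, "192.168.167.8", "216.66.80.90").items():
        print(seq, verdict)
```

A verdict of "reply on the wire, not decapsulated" with matching outer addresses means the protocol 41 path through the NAT works in both directions for that packet, so the remaining fault domain is the host's own tunnel input handling.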

cholzhauer

FWIW, here's my config on FreeBSD 9. This started on 6.x and I had to adapt it to get it working; I don't know if the changes I'm still using are required or not, but it works great for me.


ipv6_activate_all_interfaces="YES"
gif_interfaces="gif1"
gifconfig_gif1="205.251.163.10 209.51.181.2"
ipv6_gateway_enable="YES"
ipv6_ifconfig_gif1="2001:470:1f10:2aa::2/64"
ipv6_defaultrouter="-interface gif1"
ipv6_network_interfaces="em0 gif1 lo0"
ipv6_prefix_em0="2001:470:c27d:d000"
ipv6_ifconfig_em0="2001:470:c27d:d000::1"


saenara

Thank you, cholzhauer, for your advice!
Unfortunately, the config doesn't matter in this case because it's just a way to automagically issue ifconfig commands at system startup.
As far as I have dug into the trouble, it seems to me more appropriate to redirect the question to the FreeBSD team.
Once any advice arrives, I'll post it here.